Halfords spanked: The importance of consent in data protection
Posted by Robin Caller on January 31, 2023
Once upon a time, Halfords was the national treasure often used as an example of a company that could send spam without irritating anyone. People would say, “There’s a big difference between getting an email from Halfords, versus the penis enlargement, Botox, or Viagra kind of email. Nobody minds getting an email from Halfords giving them a 10% discount for the weekend. Everyone needs a puncture repair kit, some WD40, or some new bulb for their glovebox. On the other hand, not everyone needs little blue pills, facial Polyfilla, or tubular pumps.
The Halfords’ fairy tale has ended. The Information Commissioner’s Office (ICO) fined Halfords Limited for sending nearly 500,000 unsolicited marketing emails to people without their consent. Now, the retailer must pay £30,000 in fines, and we can all be sure we’ll receive no more unwanted messages about L plates and car mats.
These days, it is very simple.: “consent is king”. It’s not something anyone can ignore. The regulatory framework came into force nearly four years ago. Everyone has had enough time to adjust.
The bizarre thing is that legal obligations should be seen as “minimum requirements” and not as some sort of high bar that is difficult to overcome. How on earth has Halfords ended up being fined, when they have had three years to make the changes that were required? What exactly went wrong?
So, what went wrong?
The short answer would be “nothing too much”. The volume of emails sent without consent, and the size of the penalty, suggest this was more of an honest mistake than an act of gross negligence. But it is important to bear in mind that it only takes one complaint for the ICO to start an investigation. While 499,999 people may be happy to know that tire pumps are on special, it only takes one frustrated person to go here.
From thereon, Advertisers and Data Controllers like Halfords face the potential of a costly investigation and monetary penalties. In this case, we would hazard a guess the investigation cost outweighed the size of the penalty.
Although spanked, it was more a case of “six of the best” and hardly a complete public flogging. Perhaps Halfords made an easy mistake, and accidentally sent emails to a delta of data that was not properly consented. Maybe they even had the proper consent, but it could not be evidenced.
We have not called Halfords for comment, therefore we can’t answer either of these suppositions, but we have drawn some conclusions. We know there is nothing more than a cursory understanding about Halfords’ fine. But this is a learning opportunity for everyone sending marketing emails: you need to change how you operate.
Halfords is a major brand, a household name, and that brand has quite some equity. People involved in Marketing and Data Protection have a genuine need to protect and safeguard that reputation. As Gerald Ratner can ratify, it is hard to build a reputation, and very easy to trash a brand. Perhaps that saved Halfords. Perhaps the affected individuals weren’t disturbed or distressed to receive these unsolicited emails. Maybe each only received one. Therefore, that may well have been a factor in the size of the penalty.
Nevertheless, the challenge is not to reduce the size of penalties, the challenge is not to send unsolicited emails. Just because Halfords’ fine was only £30,000 that’s hardly any comfort for everyone. The bigger message is clear: sending unsolicited emails will result in investigations and will result in penalties.
The Meta level
While a £30,000 penalty is not eyewatering, the penalty recently meted out to Meta in Europe, for bundling their consent, by forcing people to provide consent in exchange for the use of Facebook, should remind us of what’s at stake. After all, they were fined in £340M.
Meta’s approach is quite obviously a flawed one to obtaining consent. Even we could see that, and we have no privacy crusaders like Max Schrems or Johnny Ryan on our team. For us, it was quite simple and obvious. The regulations say you cannot bundle consent, and Meta was bundling consent. But they’re hardly alone.
How many of us find ourselves trying to visit websites on our mobiles and are often forced to accept cookies because the reject button is not so readily available? All such consents are equally as unlikely to survive an ICO inspection. Given that 92% of internet use is via mobile phones, this habit of covering the 4-inch screen until consent is obtained is hardly going to meet the requirement that consent is “freely given”. It’s not. It’s given out of frustration.
Consequently, anybody obtaining consent using deceptive patterns or other psychologically manipulative or user-unfriendly mechanisms should be put on notice. They will not survive an impending ICO investigation. Both personal and corporate reputations ride on some very questionable practices.
Effective and robust consent management is still a significant challenge for brands, but the technology required to meet their obligations is readily available. It is also very cost-effective and simple to implement.
Believe it or not, there is actually “no good reason” why any firm should be sending unsolicited emails and no good reason why any firm should be unable to document and evidence the consent upon which they rely.
Some software pieces have the functionality to onboard consented data, check it for accuracy, document, and evidence the consent obtained. They deliver user preference solutions, and act as an orchestrator across multiple systems, serving as the gatekeeper between outbound marketing solutions and the individuals. We should know. We own one.
What is dawning on us is that we are quite poor at explaining this to people (such as Halfords), and we are also realizing that the cost of our technology solutions is actually far less than the cost of an investigation, let alone a penalty, from the ICO.
Put another way, our consent management software is becoming more of a no-brainer every day. Every time we read about a famous brand falling foul of the law, we ask ourselves how we can improve at getting the message out there that we have a fix. We have a solution.
Whatever led to the Halfords’ investigation and penalty, could have easily been avoided. It is no longer difficult to manage the data under control, to meet regulatory obligations, and to ensure process controls and safeguards are built into marketing workflows.
It’s not expensive. It’s not difficult. It doesn’t take long to implement. And it’s not complicated.
The humiliation and cost of investigations, and the image damage, can easily be avoided. The bottom line is that Halfords and all brands require solutions like the LeadScale Engine, complete with the Provenance functionality and orchestration software.
But make no mistake. We’re certainly not sitting in our offices with a smug “I told you so” attitude. We’re sitting around kicking ourselves for not telling you so any sooner. But we are fixing that. We are becoming customer number one of our own uncommon personal data marketing technology, and we improving our outbound marketing.
Contact us to learn more about the Engine.